Attacking Without Announcing
We talk a lot about the advantages of extreme connectivity and information availability, but too little about how our company, client and even personal data is secured. Here we want to guide you through some management policies that you can take advantage of to determine with high precision how secure your information and systems are and how effective your defense measures are. We also want you to realize what could happen if you don’t apply these policies.
From our experience, we know that business leaders usually assume that buying more technology will resolve all their security problems. In fact, such a “solution” could worsen the situation, because poorly implemented, built or configured technology is the source of all security vulnerabilities.
On the other hand, for modern companies, protecting their information by making it inaccessible or keeping it on paper is no longer viable.

In a world where digital transformation is the norm, exposing more information to the client is a must. This transformation’s benefits go from improving transaction times and costs to raising client satisfaction and reducing or eliminating maintenance windows. Operations that were only possible on-site during office hours are now possible anywhere, 24 hours a day, seven days a week, all year long.
However, the digital transformation also brings risks to consider and raises questions such as the following:

- Can the buyer modify the product price before paying for it?
- Can an employee know the salary changes of their coworkers?
- Can members of the labor union read board minutes?
- Can a guest get network administrator passwords?
- Can someone connect to the enterprise network, turn on a mic on the manager’s computer and listen to conversations?
- Can a client modify the website of our company?
- Can we check the medical record of another person on the Internet?
Securing your organization
The question “how secure are my organization’s systems and information?” is answered by performing real, ethical cyberattacks. There are several names for this: ethical hacking, penetration testing, red teaming, among others.
Five management policies are derived from this approach:

- Continuous attacks: Attacks on your organization’s systems must be performed to find vulnerabilities that allow malicious attackers to take control of your operations and information assets. The word “continuous” means that these attacks must follow a specific and stable frequency (quarterly, biannual, etc.). When this policy isn’t clear, organizations tend to stop further attacks with the excuse of being unable to fix the vulnerabilities found in the previous cycle. Once your organization wisely applies this policy, you can take a step forward to the next one.

- Zero-knowledge attacks: It makes no sense for attackers (red team) to perform security testing when defenders (blue team) know the times and places of their intrusions. It’s absurd that, in these attacks, red team members report progress to or request permissions from blue team members, organization staff with links to defense software/hardware vendors, or the bosses involved. In order to know with certainty the security level of your company, these exercises must be as close to reality as possible. In real life, malicious attackers will not notify you of when, how and where they might attack, what techniques they might use, what their penetration level is, what machines they own and what information they have disclosed. Because of this, your organization should restrict the privileges for acquiring information about the security testing. Only a minimum amount of personnel should know about it. This is known as a zero-knowledge policy.
Security exercises: red team vs. blue team (image taken from here).
This policy implies that those responsible for your organization’s security should not be the ones to organize and coordinate ethical hacking tests. Knowing about the attacks in advance, they may tend to prepare for them unrealistically, seek to limit their scope to strong zones and avoid disclosing critical vulnerabilities to their managers so as not to jeopardize their current positions.

And although it is now trendy to have purple teams, a combination of attackers and defenders, you should maintain a clearly defined objective: to know your security level precisely. These mixed teams can contaminate test results due to a conflict of interest in the company’s organizational design.

Proceeding on the basis of this policy gives you an outstanding advantage: knowing your organization’s actual detection and reaction capabilities in the event of an attack. If the blue team doesn’t know whether the attacker is a white hat hacker (i.e., a red team hacker) or a black hat hacker (i.e., a malicious hacker), it will always be in a state of alert and respond according to defined procedures: blocking, reporting, incident handling, etc.
- Relentless response: React relentlessly to every detection regardless of the hackers’ intentions. This policy allows you to keep the incident response engine well oiled, evaluate the quality of the hired red team and the efficiency of your defense investments, and also helps you achieve cost reductions or apply penalties that make attack exercises pay for themselves after a few cycles.
Continuous protection of business information (image taken from here).
- Total intrusion: This policy is the direct implication of the previous two. The red team must have complete authorization, on paper and by email, and all forms of legal protection from the company’s highest authority (i.e., CEO or manager) to apply any offensive tactic to obtain information, modify data, access workstations or shut down services. Everything should be allowed to ensure maximum severity and to compromise security at the highest level. If this policy is not put into practice, the ethical or white hat hackers you hired will have their hands tied and will be limited in their identification of vulnerabilities. They will have restricted possibilities to explore paths through which malicious attackers could move and to detect the security issues you should remediate. In the end, if they don’t find anything significant in the penetration testing, it will surely be due to the limitations you imposed on the red team. Consequently, your uncertainty about your organization’s security could increase or, to make things worse, you could mistakenly think that everything is safe.

- Coherence: If you ask managers, “Between availability and confidentiality, which is most important?”, most of the time the answer will be “both.” But if you ask them, “Would you shut down your servers given an attacker’s presence?”, answering “yes” would place confidentiality above availability. However, the typical response is that they would keep their servers running and try to deal with the attacker. It is common among organizations to place availability at a higher level than confidentiality and integrity in the precedence list. While availability is for them the most important element of the triad, it is paradoxical that many don’t authorize red teams to test their defensive capabilities against DoS (denial of service) attacks. In this case, the invitation is the following: turn your restrictions into motivations to receive attacks from a red team. In this way, you can verify with the help of an ally how vulnerable your company is to malicious attackers.
Conclusion
Applying these simple policies (Continuous attacks, Zero-knowledge attacks, Relentless response, Total intrusion and Coherence), you can know how secure your systems really are, improve their security at a whirlwind pace and save money. You don’t have to buy technologies that generate huge, incomprehensible vulnerability reports, many with false positives and a lack of context about the real impact of vulnerabilities on your organization.

Would you like to assess your systems’ security with the help of the largest red team in the Americas? Don’t hesitate to contact us!
*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Rafael Alvarez. Read the original post at: https://fluidattacks.com/blog/attacking-without-announcing/